diff --git a/data/module_source/situational_awareness/host/Invoke-Paranoia.ps1 b/data/module_source/situational_awareness/host/Invoke-Paranoia.ps1 new file mode 100644 index 0000000..f472e64 --- /dev/null +++ b/data/module_source/situational_awareness/host/Invoke-Paranoia.ps1 @@ -0,0 +1,70 @@ +function Invoke-Paranoia { + param( + [String[]] $watchUsers, + [String[]] $watchProcesses, + [String[]] $watchGroups + + ) + + $defaultprocesses = @("taskmgr.exe", "mmc.exe", "wireshark.exe", "tcpview.exe", "procdump.exe", "procexp.exe", "procmon.exe", "netstat.exe", "psloggedon.exe", "logonsessions.exe", "processhacker.exe", "autoruns.exe", "autorunsc.exe") + $watchProcesses = $watchProcesses + $defaultprocesses + $defaultgroups = @("Domain Admins") + $watchGroups = $watchGroups + $defaultgroups + $groups_members = @{} + + function get_groupmembers { + param([String[]] $groups) + + $root=([ADSI]"").distinguishedName + $enumd_groups = @{} + $groups | foreach { + $to_search = $_ + $enumd_groups.Add($to_search, @()) + $group = [ADSI]("LDAP://CN=" + $to_search + ", CN=Users,$root") + $group.member|foreach { + $enumd_groups[$to_search] += $_.split(",")[0].split("=")[1] + } + } + return $enumd_groups + } + + function process_proc { + param($proc,$group_members) + $userdom = ($proc.getOwner().Domain + "\" + $proc.getOwner().User).tolower() + $watchUsers | foreach { + if ($userdom -eq $_.tolower()) { + "USER_DETECTED: $userdom : "+ $proc.name + "`n" + } + if ($proc.getOwner().Domain.tolower() -eq $env:COMPUTERNAME -and $proc.getOwner().User.tolower() -eq $_) { + "USER_DETECTED_LOCAL: $userdom : "+ $proc.name + "`n" + } + } + foreach ($group in $group_members.keys) { + foreach ($user in $group_members[$group]) { + if ($proc.getOwner().User.tolower() -eq $user.tolower() -and $proc.getOwner().Domain -ne $env:COMPUTERNAME) { + "USER_DETECTED_GROUP: $userdom : $group :" + $proc.name + "`n" + } + } + } + $watchProcesses | foreach { + if($proc.name.tolower() -eq $_.tolower()) { + "PROCESS_DETECTED: $userdom : " + $proc.name + "`n" + } + } + Get-WmiObject Win32_LogicalDisk | Where-Object {($_.DriveType -eq 2) -and ($_.DeviceID -ne 'A:')} | %{ + if( ($proc.path.split(":")[0]+":").tolower() -eq $_.DeviceID) { + "USB_PROCESS_DETECTED: " + $proc.path + "`n" + } + } + } + + $groups_members = get_groupmembers $watchGroups + + # Main loop + while($True) { + Sleep 3 + Get-WmiObject win32_process | %{ + process_proc -proc $_ -group_members $groups_members + } + } +} diff --git a/lib/modules/situational_awareness/host/paranoia.py b/lib/modules/situational_awareness/host/paranoia.py new file mode 100644 index 0000000..b9bb091 --- /dev/null +++ b/lib/modules/situational_awareness/host/paranoia.py @@ -0,0 +1,101 @@ +from lib.common import helpers + +class Module: + + def __init__(self, mainMenu, params=[]): + + # metadata info about the module, not modified during runtime + self.info = { + 'Name': 'Invoke-Paranoia', + + 'Author': ['pasv'], + + 'Description': ('Continuously check running processes for the presence of suspicious users, members of groups, process names, and for any processes running off of USB drives.'), + + 'Background' : True, + + 'OutputExtension' : None, + + 'NeedsAdmin' : True, + + 'OpsecSafe' : True, + + 'MinPSVersion' : '2', + + 'Comments': [ + 'http://shell.fishing/code/Invoke-Paranoia.ps1' + ] + } + + # any options needed by the module, settable during runtime + self.options = { + # format: + # value_name : {description, required, default_value} + 'Agent' : { + # The 'Agent' option is the only one that MUST be in a module + 'Description' : 'Agent to deploy Paranoia on.', + 'Required' : True, + 'Value' : '' + }, + 'WatchProcesses' : { + 'Description' : 'Process names to watch out for. Default list is already appended.', + 'Required' : False, + 'Value' : '' + }, + 'WatchUsers' : { + 'Description' : 'Users to watch out for in the form of domain\user, domain\user2, localuser', + 'Required' : False, + 'Value' : '' + }, + 'WatchGroups' : { + 'Description' : 'AD Groups to watch out for (Default is \'Domain Admins\')', + 'Required' : False, + 'Value' : '' + } + } + + # save off a copy of the mainMenu object to access external functionality + # like listeners/agent handlers/etc. + self.mainMenu = mainMenu + + # During instantiation, any settable option parameters + # are passed as an object set to the module and the + # options dictionary is automatically set. This is mostly + # in case options are passed on the command line + if params: + for param in params: + # parameter format is [Name, Value] + option, value = param + if option in self.options: + self.options[option]['Value'] = value + + + def generate(self): + # if you're reading in a large, external script that might be updates, + # use the pattern below + # read in the common module source code + moduleSource = self.mainMenu.installPath + "/data/module_source/situational_awareness/host/Invoke-Paranoia.ps1" + try: + f = open(moduleSource, 'r') + except: + print helpers.color("[!] Could not read module source path at: " + str(moduleSource)) + return "" + + moduleCode = f.read() + f.close() + + script = moduleCode + + script += "Invoke-Paranoia " + + # add any arguments to the end execution of the script + for option,values in self.options.iteritems(): + if option.lower() != "agent": + if values['Value'] and values['Value'] != '': + if values['Value'].lower() == "true": + # if we're just adding a switch + script += " -" + str(option) + else: + script += " -" + str(option) + " " + str(values['Value']) + + return script \ No newline at end of file